Team,

Apache NiFi 2.0.0-M1 introduced support for native Python Processors, bringing new capabilities and some new questions. Part of that initial release included the installation of Python pip for dynamic dependency installation in the unofficial Docker images. Although this feature is useful in some development scenarios, pip has several known vulnerabilities, including CVE-2018-20225, related to the potential for passing an option to reference additional repositories. Although NiFi does not use this option, the presence of pip is a notable security concern at the level of runtime package retrieval.
With that background, it seems that we should remove pip from the unofficial Docker image builds. This would bring closer alignment with the convenience binary downloads, which do not have Python support enabled in the default configuration. Although this would require users to build their own images to add pip, it follows the general principle of providing secure defaults. There is a developer usability tradeoff, but we have had similar considerations in the past, and have leaned in the direction of security.

Regards,
David Handermann

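For readers who need pip after it is removed from the default image, the following Dockerfile is an added illustration of the "build your own image" path mentioned above; it is not part of the NiFi project or of this message. It assumes the unofficial image tag `apache/nifi:2.0.0-M1`, a Debian/Ubuntu base with `apt-get`, the `nifi` runtime user, and a `requirements.txt` in the build context that was generated with hashes (for example with `pip-compile --generate-hashes` or `pip hash`). The point of the layout is to confine package retrieval to build time, from one pinned and hash-checked file, so that no pip invocation with index or extra-index options happens inside the running container.

```dockerfile
# Added example, not the NiFi project's Dockerfile. Assumptions: the image tag
# below exists, the base is Debian/Ubuntu with apt-get, and NiFi runs as "nifi".
FROM apache/nifi:2.0.0-M1

# Install the interpreter and pip at build time only.
USER root
RUN apt-get update \
 && apt-get install -y --no-install-recommends python3 python3-pip \
 && rm -rf /var/lib/apt/lists/*

# Resolve processor dependencies from a pinned, hash-checked requirements file.
# --require-hashes refuses any entry without a hash, and no --index-url or
# --extra-index-url is passed, so only the default index is ever consulted.
# The file is assumed to be in the build context and generated with hashes.
COPY --chown=nifi:nifi requirements.txt /opt/nifi/python-requirements.txt
RUN python3 -m pip install --no-cache-dir --require-hashes \
      -r /opt/nifi/python-requirements.txt

# Drop back to the unprivileged runtime user for everything that follows.
USER nifi
```

Because the dependencies are baked into the image layer, the resulting container can run with pip present but never needs to invoke it at runtime; if that is still undesirable, a final `RUN apt-get purge -y python3-pip` (as root, before switching back to `nifi`) removes the tool while keeping the already-installed packages.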